CanSecWest – PWN2OWN overview – Update

The CanSecWest security conference in Vancouver in currently under way. In addition to their normal presentation lineup CanSecWest also hosts the PWN2OWN competition organized by ZDI where researcher’s bring their exploits and try them against the latest software versions. The competition is both technically challenging and politically loaded – two years ago research company VUPEN made it into the headlines when they said they would not sell their Chrome exploit to Google for even 1 Million US Dollars.

This year the controversy was around Google and ZDI themselves entering the competition, which some of the other competitor thought unfair. All prize money from these exploits where Google exploited Safari and ZDI Internet Explorer was donated to charity – the Red Cross Canada.

Out of the US$ 850,000 VUPEN claimed almost half: US$ 400,000 went to the exploit specialist from France.

Some surprises: Overall only one exploit attempt failed (against IE), even though VUPEN withdrew from two targets Safari and Java (another potential US$ 95,000), Java ended up making it through the contest without any exploit attempts and so did the combination Windows 8.1 plus EMET via IE11, codename Exploit Unicorn , which had a prize money of US$ 150,000 assigned to it. One more reason to look at EMET for your workstations.